I'm running NetBSD with pf and authpf for my firewall. I wrote the rules myself, which have seemed to work well for the past year or so. AuthPF is only used for wireless clients coming through my WLAN.

The problem I'm facing is I want to exempt a client from having to authorize against the AuthPF and bypass the rules. The client is an iPhone (192.168.1.15).

Now here is the weird part... This has been working fine for a good year with my Nokia. Today I got the new iPhone, and in DHCP all I did was remove the MAC address of the Nokia and replace it with the MAC of the iPhone. Restarted DHCP and told the iPhone to renew the lease. This all worked fine and it obtained the correct IP. However, when I try to browse, all my requests are being redirected (as per my rules for non-authenticated users).

Nothing in the pf.conf changed, so I'm not sure where the issue is. The only thing that changed was the phone (and the browser used) and the MAC address in DHCP.

Below is my /etc/pf.conf ... Any insight is much appreciated.

Code:

##########
# Macros #
##########
ext_if="ppp0"
int_if="fxp0"
wi_if="fxp1"
adsl_if="sip0"
homer="192.168.0.2"
krusty="192.168.1.1"
auth_web="192.168.0.10"
phone="192.168.1.15"
routable="{ 192.168.0.0/24, 192.168.1.0/24 }"
nonroutable="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
###########
# Options #
###########
set block-policy drop
set loginterface $ext_if
#########
# Scrub #
#########
scrub no-df random-id fragment reassemble
##########
# Tables #
##########
table <authpf_users> persist
###########
# NAT/RDR #
###########
nat on $ext_if from $routable to any -> ($ext_if)
nat on $adsl_if from $routable to any -> ($adsl_if)
# Azureus
rdr on $ext_if proto tcp from any to any port 61980 -> $homer port 61980
rdr on $ext_if proto udp from any to any port 61980 -> $homer port 61980
# uTorrent
rdr on $ext_if proto tcp from any to any port 10394 -> $homer port 10394
rdr on $ext_if proto udp from any to any port 10394 -> $homer port 10394
# WWW redirect for non-AuthPF users
rdr on $wi_if proto tcp from ! <authpf_users> to any port 80 -> $auth_web
# WWW from Internet to krusty ***TEMP***
#rdr on $ext_if proto tcp from any to any port 80 -> $auth_web
# uTorrent Web-UI
# rdr on $ext_if proto tcp from any to any port 8181 -> $homer port 8181
################
# Filter Rules #
################
pass out quick keep state
pass quick on lo0
# Azureus
pass in quick on $ext_if proto tcp from any to any port 61980 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 61980
# uTorrent
pass in quick on $ext_if proto tcp from any to any port 10394 flags S/SA keep state
pass in quick on $ext_if proto udp from any to any port 10394
# SSH
pass in quick on $ext_if proto tcp from any to any port 22 flags S/SA keep state
# Non routable
block drop in quick on $ext_if from $nonroutable to any
block drop out quick on $ext_if from any to $nonroutable
# DNS, SSH & WWW-redirect for wireless so user can AuthPF
pass in quick on $wi_if proto udp from 192.168.1.0/24 to any port 53
pass in quick on $wi_if proto tcp from 192.168.1.0/24 to $krusty port 22 flags S/SA keep state
pass in quick on $wi_if proto tcp from ! <authpf_users> to any port 80 flags S/SA keep state
# Mobile WiFi access
pass in quick on $wi_if from $phone to any flags S/SA keep state
# WWW from Internet to krusty ***TEMP***
#pass in quick on $ext_if proto tcp from any to any port 80 flags S/SA keep state
# uTorrent Web-UI
# pass in quick on $ext_if proto tcp from any to any port 8181 flags S/SA keep state
# AuthPF anchor
anchor "authpf/*"
# Drop All
block in quick on $wi_if
block in quick on $ext_if
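Added example, not part of the post above and not real pf code: a small Python model of how pf walks the wireless ($wi_if) rules in that pf.conf. It encodes two things pf does that are easy to overlook when reading a ruleset top to bottom: translation rules (nat/rdr) are evaluated before any filter rule, first match wins, and filter rules are then matched against the already-translated packet, with `quick` ending evaluation at the first hit. Running the iPhone's port 80 request through the model shows which rule claims it. The `no rdr` line is an assumption about one way to exempt a single host from the redirect (a `no rdr` must precede the `rdr` it exempts, since the first matching translation rule wins); the authpf anchor is modelled as a plain pass for addresses in `<authpf_users>`, which is also an assumption, as what it really loads depends on authpf.rules.

```python
"""Toy model of pf's evaluation order for the $wi_if rules in the post.

Constructed example; not part of the original post and not real pf code.
Models: translation rules first (first match wins), then 'quick' filter
rules on the translated packet (first match decides).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Macros copied from the posted pf.conf
WI_IF = "fxp1"
KRUSTY = "192.168.1.1"
AUTH_WEB = "192.168.0.10"
PHONE = "192.168.1.15"
WLAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def rdr_rules(authpf_users, exempt_phone):
    """Translation rules in file order: (match, new_dst); new_dst None = 'no rdr'."""
    rules = []
    if exempt_phone:
        # Assumed exemption, not in the post:
        #   no rdr on $wi_if proto tcp from $phone to any port 80
        rules.append((lambda p: p.iface == WI_IF and p.proto == "tcp"
                      and p.src == PHONE and p.dport == 80, None))
    # From the post:
    #   rdr on $wi_if proto tcp from ! <authpf_users> to any port 80 -> $auth_web
    rules.append((lambda p: p.iface == WI_IF and p.proto == "tcp"
                  and p.src not in authpf_users and p.dport == 80, AUTH_WEB))
    return rules


def filter_rules(authpf_users):
    """The $wi_if filter rules from the post, in file order (all 'quick')."""
    return [
        ("pass dns", lambda p: p.iface == WI_IF and p.proto == "udp"
         and ip_address(p.src) in WLAN and p.dport == 53, "pass"),
        ("pass ssh to krusty", lambda p: p.iface == WI_IF and p.proto == "tcp"
         and ip_address(p.src) in WLAN and p.dst == KRUSTY and p.dport == 22, "pass"),
        ("pass www for non-authpf", lambda p: p.iface == WI_IF and p.proto == "tcp"
         and p.src not in authpf_users and p.dport == 80, "pass"),
        ("pass phone", lambda p: p.iface == WI_IF and p.src == PHONE, "pass"),
        # Assumption: whatever authpf loads into the anchor passes table members.
        ("authpf anchor (assumed)", lambda p: p.src in authpf_users, "pass"),
        ("block wi_if", lambda p: p.iface == WI_IF, "block"),
    ]


def evaluate(pkt, authpf_users=frozenset(), exempt_phone=False):
    """Return (verdict, matching filter rule, destination after translation)."""
    # Step 1: translation runs before any filter rule is consulted.
    for match, new_dst in rdr_rules(authpf_users, exempt_phone):
        if match(pkt):
            if new_dst is not None:
                pkt = replace(pkt, dst=new_dst)
            break
    # Step 2: filtering sees the translated packet; first quick match decides.
    for name, match, verdict in filter_rules(authpf_users):
        if match(pkt):
            return verdict, name, pkt.dst
    return "pass", "default pass", pkt.dst  # pf's implicit default


def phone_browsing(exempt_phone=False):
    """The iPhone from the post opening a web page while <authpf_users> is empty."""
    return evaluate(Packet(WI_IF, "tcp", PHONE, "198.51.100.7", 80),
                    exempt_phone=exempt_phone)


if __name__ == "__main__":
    print("phone -> web, rules as posted:     ", phone_browsing())
    print("phone -> web, with no-rdr exemption:", phone_browsing(True))
    print("phone -> https (no rdr for 443):    ",
          evaluate(Packet(WI_IF, "tcp", PHONE, "198.51.100.7", 443)))
    print("unauthenticated laptop -> web:      ",
          evaluate(Packet(WI_IF, "tcp", "192.168.1.20", "198.51.100.7", 80)))
```

With the rules as posted, the model rewrites the phone's port 80 destination to $auth_web in the translation step, so the later `pass in quick on $wi_if from $phone` rule never sees an untranslated web request; port 443 is unaffected because no rdr rule covers it. With the `no rdr` exemption in front of the rdr line, the destination survives and the same pass rule lets the request through. Whatever change is tried on the real box, `pfctl -vnf /etc/pf.conf` parses the file without loading it, and `pfctl -sn` shows the translation rules in the order pf will evaluate them.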